MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c68e4ba7f18ef3c7eac80df743e53f5c9b4e9d05778d0b7388c5c66962459c76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c68e4ba7f18ef3c7eac80df743e53f5c9b4e9d05778d0b7388c5c66962459c76
SHA3-384 hash: 1401cddc875e38e412749caf95c97b4ed408c453637262753deadb72eb9ebe94e4d52c84049135fc799f0f7aaf061219
SHA1 hash: 9b683241ce62079185c5e226ef234cf3d9dd4f67
MD5 hash: 8c1b764f1ab0c13c0da13ed7db90b4f4
humanhash: violet-butter-south-dakota
File name:GLOWTEXX_080222.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:476'672 bytes
First seen:2022-02-08 07:56:12 UTC
Last seen:2022-02-08 10:54:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:pv4Gp/3POJDHwV3otYD9sRpjwbIMTJU+/sQp1VqVsAEGIi43sxpk1:pJ9cbyhyQbhJUC7Cp43s41
Threatray 3'176 similar samples on MalwareBazaar
TLSH T160A46A2F49BE113AC6BCCB7198C0CE1FF426D5563937692D2A9626D905232F374D222F
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GLOWTEXX_080222.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-02-08 09:31:09 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/169dd1c5-d8a1-4558-b583-066a70847eb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/237791/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.25375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6202224f4077c8b9a0204e52/reports/f2392668-ce30-4eef-aced-c8954ed85f36/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f38ea28-93ea-4c52-b9d1-12981fbb589c
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935997
Behaviour
Behavior Graph:
n/a
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c68e4ba7f18ef3c7eac80df743e53f5c9b4e9d05778d0b7388c5c66962459c76/
Threat name:
ByteCode-MSIL.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-02-08 07:57:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2hexj7rr3z4p2wibx3uhzj7lsnu5hifo6gqw44iyxdgsysftr3a._file
Verdict:
malicious
Similar samples:
1861855b22d693257e4e3463667e53ae08711a684747fdd32f49c3e7b9c7f04f
SnakeKeylogger
200a5cb8bf6489144c66e3b85eaeec5327dc66321001f4c0fda42840d0f230ec
SnakeKeylogger
25002a8f723189cf80ad649d7af9ccf8c389291bb64e2eed7665e7a21823634b
SnakeKeylogger
2bf24741d28e493dd3c0fabc7478edccab0bc3835b2648c09ba153c94c065f3c
SnakeKeylogger
7651401ef8594540124a5a42c64653b9d8a977c331fe96aacb0a82e13e04be5d
SnakeKeylogger
81d5d914a49e58d34c9ee74256ea3ec53be8df0205cb383d7d565c88dd69ecc9
SnakeKeylogger
eaa87e5a31cc4ed714404e74023ace54451cee57aa53ed39bdbdb6ad13609f3e
SnakeKeylogger
f2725ad45e1ca66ad1380ce1e59e43b9793c4cdfdba0eb023aba15ce7a4e102e
SnakeKeylogger
f6bd17e868cccb7e82fa32769dd5db9c5a8f2daf1676492b87c37d33e2565877
SnakeKeylogger
+ 3'166 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220208-js9mjaegar/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5194129538:AAGSbTTRTil2LgbOQ_c9ol0T0zffUdTAD0I/sendMessage?chat_id=1856108848
Unpacked files
SH256 hash:
7abb3389da1cb1825224903e479764df079eaeb8eb9b11fd99cd2ceccdbcbe53
MD5 hash:
40ac7bdd5e43d352dfee31d841ffa4a1
SHA1 hash:
9097a86a6db91212c08a92a673e858eab6b9e771
Link:
https://www.unpac.me/results/7ed1ce8f-ffaf-41cb-b2d4-f8ec08cd3ae3/
SH256 hash:
0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9
MD5 hash:
263b5190f7ac42d83c756dcdf38147bb
SHA1 hash:
78f419fe3936ed7d603706c47230cd3e6ff79ffe
Link:
https://www.unpac.me/results/7ed1ce8f-ffaf-41cb-b2d4-f8ec08cd3ae3/
SH256 hash:
99204f808f1f7e65f7bbce4f346ef3141e55cb91cb4cd1396992a2facddfc05a
MD5 hash:
0a9147c6a4e2a72a8ee211e75f8b7024
SHA1 hash:
773f16d81b668a44abf32212cb194913da18afeb
Link:
https://www.unpac.me/results/7ed1ce8f-ffaf-41cb-b2d4-f8ec08cd3ae3/
SH256 hash:
c68e4ba7f18ef3c7eac80df743e53f5c9b4e9d05778d0b7388c5c66962459c76
MD5 hash:
8c1b764f1ab0c13c0da13ed7db90b4f4
SHA1 hash:
9b683241ce62079185c5e226ef234cf3d9dd4f67
Link:
https://www.unpac.me/results/7ed1ce8f-ffaf-41cb-b2d4-f8ec08cd3ae3/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/237791/

Comments